Following the Schrems II decision last year, there have been many questions about the status of international data transfers between the European Union and United States. The European Commission (the Commission) has now adopted a new set of Standard Contractual Clauses (SCCs) for international data transfers (the New SCCs), effective 25 June 2021. The New SCCs take into account some of the requirements under Schrems II and confirm how to carry out an assessment of a third country’s legal framework.
The New SCCs are more closely aligned with the requirements of the EU General Data Protection Regulation (GDPR) and more onerous in terms of scope and the number of obligations. As the Old SCCs will be repealed on 24 September 2021 and all ongoing transfers will need to be updated to the New SCCs within the next 18 months, businesses need to consider how the changes apply to their data transfer scenarios and prepare to update their transfer arrangements.
The SCCs represent the most common safeguard for securing third-country transfers in order to be permissible under the GDPR and are widely used by hundreds of thousands of organisations. As the existing standard contractual clauses (the Old SCCs) were issued based on the European Data Protection Directive, they did not fully comply with the provisions of the GDPR. The Commission has now adopted and published final versions of two sets of SCCs:
In summary, the New SCCs:
The New SCCs become enforceable shortly, 20 days following their publication in the Official Journal of the European Union. After three months, on 24 September 2021, the Old SCCs will be repealed, although up until this point companies can continue to use the Old SCCs. By 24 December 2022, all Old SCCs must be converted to the New SCCs “provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards” or replaced with alternative safeguards such as binding corporate rules. Where organisations intend to utilise the New SCCs, they will have a total of 18 months to prepare the New SCCs and ensure that safeguards are in place to protect their data transfers.
A significant change is the consolidated modular approach of the New SCCs. Whereas the Old SCCs previously only captured two transfer scenarios (controller to controller and controller to processor transfers), the New SCCs combine the general clauses with four modules:
Overall, the four modules allow the New SCCs to be incorporated into a broader commercial contract. The ability for more than two parties to join and use the clauses reflects the reality of complex data processing chains. Additional clauses can be added provided they do not contravene the New SCCs or undermine the rights of data subjects.
The New SCCs will not apply to transfers of personal data from the United Kingdom to a third country, as the decision does not form part of retained EU law for Brexit purposes. The UK Information Commissioner's Office (ICO) has announced that it is preparing to publish bespoke UK SCCs for international transfers.
Significantly, the New SCCs incorporate a number of Schrems II obligations in order to comply with the requirements of the European Data Protection Board and European Court of Justice on third-country transfers as outlined in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18).
It is important to note that the New SCCs are ultimately only one aspect of the Schrems II judgment. The implementation of supplementary safeguards will often be necessary despite full compliance with the New SCCs. Companies must clearly understand and assess, on a case-by-case basis, whether the transfers will provide adequate protections for the privacy rights of individuals whose personal data is transferred pursuant to the SCCs.
The ICO has announced it will publish a UK set of SCCs this year. At this point, it is unclear whether the New SCCs will be adopted by the ICO for the time being and, therefore, applicable to UK-based controllers. It also remains to be seen whether the UK SCCs will be valid for data transfers from the United Kingdom that include EU GDPR-protected data to a third country, e.g. the United States.
Note that the UK’s adequacy bridge ends at the end of June, and the final decision confirming that the United Kingdom remains an adequate jurisdiction for data transfers from the EEA has not yet been published.
Organisations will welcome the clarification on the changes to the SCCs and the extended transitional period of 18 months to replace the Old SCCs, which provides greater flexibility to update their internal and external contracts than the one-year deadline originally proposed. Organisations should make sure they audit the data transfers that rely on the Old SCCs and start to prepare to implement the New SCCs. They also need to complete risk assessments and the implementation of any required safeguards to protect the data on transfer notwithstanding the New SCCs themselves.
Notwithstanding this, the New SCCs impose substantive obligations on companies and the hard deadline of 24 December 2022 to replace all new transfers with the updated SCCs is likely to create a significant compliance burden for data exporters and importers alike.
Trainee solicitor Christina Lewes contributed to this LawFlash.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Melis S. Kiziltay Carter